iOS App Patching Solutions Introduce Security Risks: FireEye

Solutions designed to make it easier for iOS app developers to quickly push out hotfixes and updates can be abused by malicious actors to bypass the mechanisms Apple has put in place to maintain a secure application ecosystem, FireEye has warned.

Apple smartphones and tablets running the iOS operating system are considered more secure than mobile devices running Google’s Android partly because users can only install applications from the official App Store, which hosts apps that undergo strict security and integrity checks.

This process must also be followed when a new release or hotfix is rolled out, which can be inconvenient and frustrating for app developers, especially when a quick fix is needed for a serious bug.

In order to address this issue, the community has developed tools that allow developers to push out patches and updates without having to go through Apple’s standard process. FireEye’s mobile security researchers have analyzed some of these alternatives in an effort to determine the risks they introduce.

A solution detailed this week is JSPatch, an open source tool built on top of Apple’s JavaScriptCore framework and currently found in more than 1,200 apps available in the App Store. Built by a Chinese developer, JSPatch is designed to allow app creators to quickly push out hotfixes for iOS apps simply by adding a few lines of code to their application.

This code, which represents the JSPatch engine, allows developers to change their app’s behavior via a JavaScript file that is loaded at runtime and that the developer can control and deliver remotely.

“JSPatch is a boon to iOS developers. In the right hands, it can be used to quickly and effectively deploy patches and code updates. But in a non-utopian world like ours, we need to assume that bad actors will leverage this technology for unintended purposes,” FireEye researchers said in a blog post. “Specifically, if an attacker is able to tamper with the content of JavaScript file that is eventually loaded by the app, a range of attacks can be successfully performed against an App Store application.”

Up until now, there have been two main attack vectors that malicious actors could use to target iOS systems. One of them involves malware that is designed to work on jailbroken devices, which allow users to install applications from third-party websites, such as in the case of the iOS malware dubbed KeyRaider.

Another method, which can be used against non-jailbroken devices as well, involves application sideloading via enterprise certificates, as seen in attacks using the YiSpecter malware. Apple has updated the sideloading process in iOS 9 in an effort to boost app security.

FireEye has described several scenarios in which a malicious actor can exploit JSPatch to target non-jailbroken devices. In the first scenario, the attacker develops a harmless application with JSPatch embedded and submits it to the Apple App Store. Once it passes Apple’s inspection, the app is made available on the App Store and downloaded by users.

The attacker can then easily send malicious JavaScript code to the running app via JSPatch, allowing them to perform various actions without being detected.

In another scenario, the attacker is an advertising SDK developer who provides an SDK with JSPatch enabled. Unwitting developers use the SDK in applications that they upload to the Apple App Store. Once the malicious app is installed, the attacker can send a JavaScript patch that gives them control of the application.

In a third scenario described by FireEye, the application developer uses JSPatch without any malicious intentions, but leaves communications between the client and the server unprotected. This allows a man-in-the-middle (MitM) attacker to intercept the connection and tamper with the JavaScript content sent to the app.

A malicious hacker can use this technique against applications using JSPatch to access sensitive information, including media files and the content of the pasteboard, change system properties, and load arbitrary public frameworks into the app process.
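For the third scenario above (a patch script delivered over an unprotected connection), one mitigation is to sign each patch on the release server and have the app verify it against a public key shipped in the bundle before the script reaches the engine. The following is an added example, not code from FireEye, JSPatch or the original article; it is written in Node.js for illustration, and the names `signPatch` and `acceptPatch`, the envelope format and the sample script are assumptions. An in-app implementation would perform the same check natively.

```javascript
const nodeCrypto = require('crypto');

// Constructed release key pair for the demo. In a deployment the private key
// stays on the release server and only the public key ships inside the app.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');

// Release side: bind the script to a monotonically increasing version, then
// sign the exact bytes that will travel over the network.
function signPatch(script, version, key) {
  const payload = Buffer.from(JSON.stringify({ version, script }), 'utf8');
  const sig = nodeCrypto.sign(null, payload, key);
  return { payload: payload.toString('base64'), sig: sig.toString('base64') };
}

// Client side: verify the raw bytes first, parse only what verified, and
// refuse anything that is not newer than the last patch applied (rollback).
function acceptPatch(envelope, pinnedKey, lastVersion) {
  const payload = Buffer.from(String(envelope.payload), 'base64');
  const sig = Buffer.from(String(envelope.sig), 'base64');
  let valid = false;
  try {
    valid = nodeCrypto.verify(null, payload, pinnedKey, sig);
  } catch (err) {
    valid = false; // malformed signature or key material
  }
  if (!valid) return { ok: false, reason: 'bad-signature' };
  const { version, script } = JSON.parse(payload.toString('utf8'));
  if (!Number.isInteger(version) || version <= lastVersion) {
    return { ok: false, reason: 'stale-version' };
  }
  return { ok: true, version, script }; // only now hand `script` to the engine
}

// Constructed sample: a harmless placeholder stands in for the hotfix script.
function demo() {
  const good = signPatch('/* constructed hotfix v2 */', 2, privateKey);
  // Same signature, different bytes: what the app sees if the file changed in transit.
  const altered = { ...good, payload: Buffer.from('{"version":3,"script":""}').toString('base64') };
  return {
    fresh: acceptPatch(good, publicKey, 1),
    replayed: acceptPatch(good, publicKey, 2),
    altered: acceptPatch(altered, publicKey, 1),
  };
}

console.log(demo());
```

A check of this kind only covers tampering in transit. It does nothing in the first two scenarios, where the party holding the signing key is the one sending the malicious script.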

“Many developers have doubts that the App Store would accept technologies leveraging scripts such as JavaScript. According to Apple’s App Store Review Guidelines, apps that download code in any way or form will be rejected. However, the JSPatch community argues it is in compliance with Apple’s iOS Developer Program Information, which makes an exception to scripts and code downloaded and run by Apple's built-in WebKit framework or JavascriptCore, provided that such scripts and code do not change the primary purpose of the application by providing features or functionality that are inconsistent with the intended and advertised purpose of the application as submitted to the App Store,” FireEye said.

“The use of malicious JavaScript (which presumably changes the primary purpose of the application) is clearly prohibited by the App Store policy. JSPatch is walking a fine line, but it is not alone,” the security firm added.

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.